CVE-2023-5115
Public on 2023-09-22
Modified on 2024-02-12
Description
The upstream report describes this issue as follows:
When installing a maliciously created Ansible role using 'ansible-galaxy role install', arbitrary files the user has access to can be overwritten. The malicious role must contain a symlink with an absolute path to the target file, followed by a file of the same name (as the symlink) with the contents to write to the target.
When installing a maliciously created Ansible role using 'ansible-galaxy role install', arbitrary files the user has access to can be overwritten. The malicious role must contain a symlink with an absolute path to the target file, followed by a file of the same name (as the symlink) with the contents to write to the target.
Severity
Medium
CVSS v3 Base Score
See breakdown
Affected Packages
| Platform | Package | Release Date | Advisory | Status |
|---|---|---|---|---|
| Amazon Linux 2 - Ansible2 Extra | ansible | No Fix Planned | ||
| Amazon Linux 2023 | ansible-core | 2024-02-01 | ALAS2023-2024-505 | Fixed |
CVSS Scores
| Score Type | Score | Vector | |
|---|---|---|---|
| Amazon Linux | CVSSv3 | 6.5 | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N |
| NVD | CVSSv3 | 6.3 | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:H/A:N |